RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
5,206 Commits 3 Branches 49 Tags 19 MiB
Commit Graph

5206 Commits

Author SHA1 Message Date
Nicolas Iooss d1f92dae04
Vagrantfile: remove sudo 
The provisioning scripts are already run as root.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
 2019-12-22 18:12:34 +01:00
Nicolas Iooss d82115ac48
Vagrantfile: fix configuration 
"debian" needs to be used instead of "config" in the VM description.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
 2019-12-22 18:12:02 +01:00
Chris PeBenito 17f06cf1fe unconfined: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-12-02 08:47:19 -05:00
Chris PeBenito 9a04561643 Merge pull request #130 from pebenito/unconfined-systemd-user 2019-12-02 08:45:44 -05:00
Chris PeBenito 832face6f2 logging: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-11-23 10:27:14 -05:00
Chris PeBenito 9c3c525aa8 logging: Reorder lines. 
No rule change.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-11-23 10:26:50 -05:00
Sugar, David a9ae616800 resolve syslog imuxsock denial 
I'm seeing the following error while starting rsyslog:
Nov 17 02:01:38 localhost rsyslogd: cannot create '/run/systemd/journal/syslog': Permission denied [v8.24.0-41.el7_7.2]
Nov 17 02:01:38 localhost rsyslogd: imuxsock does not run because we could not aquire any socket  [v8.24.0-41.el7_7.2]
Nov 17 02:01:38 localhost rsyslogd: activation of module imuxsock failed [v8.24.0-41.el7_7.2]

With the following denials:
type=AVC msg=audit(1573958708.773:1896): avc:  denied  { create } for  pid=2347 comm="rsyslogd" name="syslog" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd_runtime_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1573958708.773:1897): avc:  denied  { setattr } for  pid=2347 comm="rsyslogd" name="syslog" dev="tmpfs" ino=19368 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd_runtime_t:s0 tclass=sock_file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-11-23 10:24:13 -05:00
Chris PeBenito 0bfd1387ac Remove incorrect usages of "is" operator from Python scripts. 
Closes #128

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-11-23 10:12:53 -05:00
Chris PeBenito 45bd96f619 various: Module version bump. 2019-11-23 09:54:36 -05:00
Chris PeBenito 8fcd20b9f9 Merge pull request #127 from pebenito/unconfined-cap_userns 2019-11-23 09:51:42 -05:00
Chris PeBenito e05c589ae6 Merge pull request #127 from pebenito/unconfined-cap_userns 2019-11-23 09:51:28 -05:00
Chris PeBenito 42d115aa53 unconfined: Fix systemd --user rule. 
Use the full init_pgm_spec_user_daemon_domain() to ensure correct
permissions.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
 2019-11-22 16:39:35 -05:00
Chris PeBenito 87745f09d9 unconfined: Add namespaced capabilities. 
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
 2019-11-15 11:13:58 -05:00
Laurent Bigonville 53a76d3fb7 Allow alsa_t to set scheduling priority and send signal to itself 
When alsactl is running as a daemon with systemd, it sets its process
priority to be nice to other processes. When stopping the service, it's
signaling to itself that it needs to exit.

----
time->Sun Oct  6 11:59:59 2019
type=AVC msg=audit(1570355999.755:43): avc:  denied  { setsched } for  pid=794 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1
----
time->Sun Oct  6 11:59:59 2019
type=AVC msg=audit(1570355999.755:44): avc:  denied  { getsched } for  pid=794 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1
----
time->Sun Oct  6 12:07:26 2019
type=AVC msg=audit(1570356446.747:292): avc:  denied  { signal } for  pid=3585 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
 2019-10-31 12:08:03 +01:00
Laurent Bigonville 56a11f07c3 Allow alsa_t to create alsa_runtime_t file as well 
When alsactl is started as a daemon, it creates a pidfile
(/run/alsactl.pid), that needs to be allowed

----
time->Sun Oct  6 10:59:09 2019
type=AVC msg=audit(1570352349.743:45): avc:  denied  { write open } for  pid=804 comm="alsactl" path="/run/alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570352349.743:45): avc:  denied  { create } for  pid=804 comm="alsactl" name="alsactl.pid" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Sun Oct  6 11:54:38 2019
type=AVC msg=audit(1570355678.226:657): avc:  denied  { open } for  pid=9186 comm="alsactl" path="/run/alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570355678.226:657): avc:  denied  { read } for  pid=9186 comm="alsactl" name="alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Sun Oct  6 11:54:38 2019
type=AVC msg=audit(1570355678.230:659): avc:  denied  { unlink } for  pid=804 comm="alsactl" name="alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
 2019-10-31 12:08:03 +01:00
Laurent Bigonville 9b18951eb0 Allow realmd_t to read localization files 
----
time->Sat Oct  5 13:11:40 2019
type=AVC msg=audit(1570273900.483:148): avc:  denied  { open } for  pid=1382 comm="realmd" path="/etc/locale.alias" dev="dm-1" ino=1047048 scontext=system_u:system_r:realmd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570273900.483:148): avc:  denied  { read } for  pid=1382 comm="realmd" name="locale.alias" dev="dm-1" ino=1047048 scontext=system_u:system_r:realmd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570273900.483:148): avc:  denied  { read } for  pid=1382 comm="realmd" name="locale.alias" dev="dm-1" ino=262415 scontext=system_u:system_r:realmd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1570273900.483:148): avc:  denied  { search } for  pid=1382 comm="realmd" name="locale" dev="dm-1" ino=262056 scontext=system_u:system_r:realmd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=dir permissive=1
----
time->Sat Oct  5 13:11:40 2019
type=AVC msg=audit(1570273900.483:149): avc:  denied  { getattr } for  pid=1382 comm="realmd" path="/etc/locale.alias" dev="dm-1" ino=1047048 scontext=system_u:system_r:realmd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
----

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
 2019-10-31 12:08:03 +01:00
Laurent Bigonville 69d88981bc Allow geoclue to log in syslog 
----
time->Thu Oct  3 17:16:40 2019
type=AVC msg=audit(1570115800.136:513): avc:  denied  { create } for  pid=1384 comm="geoclue" scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:geoclue_t:s0 tclass=unix_dgram_socket permissive=1
----
time->Thu Oct  3 17:16:40 2019
type=AVC msg=audit(1570115800.136:514): avc:  denied  { sendto } for  pid=1384 comm="geoclue" path="/run/systemd/journal/socket" scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tc
lass=unix_dgram_socket permissive=1
type=AVC msg=audit(1570115800.136:514): avc:  denied  { write } for  pid=1384 comm="geoclue" name="socket" dev="tmpfs" ino=1781 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:devlog_t:s0 tcla
ss=sock_file permissive=1
type=AVC msg=audit(1570115800.136:514): avc:  denied  { search } for  pid=1384 comm="geoclue" name="journal" dev="tmpfs" ino=1777 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:syslogd_runtim
e_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1570115800.136:514): avc:  denied  { search } for  pid=1384 comm="geoclue" name="systemd" dev="tmpfs" ino=11001 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:init_runtime_
t:s0 tclass=dir permissive=1
type=AVC msg=audit(1570115800.136:514): avc:  denied  { write } for  pid=1384 comm="geoclue" scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:geoclue_t:s0 tclass=unix_dgram_socket permissive=1
----

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
 2019-10-31 12:05:05 +01:00
Laurent Bigonville 805f2d9cd4 Allow the systemd dbus-daemon to talk to systemd 
Recent versions of dbus are started as Type=notify

type=AVC msg=audit(03/10/19 15:32:40.347:64) : avc:  denied  { write } for  pid=809 comm=dbus-daemon name=notify dev="tmpfs" ino=1751 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_runtime_t:s0 tclass=sock_file permissive=1

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
 2019-10-31 12:05:05 +01:00
Chris PeBenito 04a83b9616 init: Module version bump. 2019-10-31 04:12:24 -04:00
Chris PeBenito bb48674bd1 init: Whitespace change. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-10-31 03:33:14 -04:00
Sugar, David 36ebc670cb Add missing gen_require for init_t in init_script_domain 
Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-10-31 03:31:52 -04:00
Chris PeBenito 3952ecb4dd Fix file common ordering and kernel version from previous commit. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-10-31 03:09:14 -04:00
Chris PeBenito b7e5454fac
Merge pull request #124 from pebenito/watch 
Add watch access vectors.
 2019-10-29 07:11:51 -04:00
Chris PeBenito c656b97a28 Add file and filesystem watch access vectors. 
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
 2019-10-25 15:46:00 -04:00
Chris PeBenito e5dbe75276 Move open, audit_access, and execmod to file common. 
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
 2019-10-25 15:45:31 -04:00
Chris PeBenito 69cd9b4614 xserver: Move XDM dbus chats under main dbus optional. 2019-10-12 11:38:52 -04:00
Chris PeBenito 9731e44e43 xserver: Remove duplicate colord rule. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-10-12 11:37:00 -04:00
Chris PeBenito dffe3df251 fc_sort.py: Use "==" for comparing integers. 
"is" is for testing two references are the same object.  The fact that this
worked is specific to the Python implementation.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-10-08 15:45:27 -04:00
Chris PeBenito 3562ba3ca4 Merge pull request #118 from cgzones/fc_sort 2019-10-08 14:47:20 -04:00
Christian Göttsche 16af31d5a1 re-implement fc_sort in python 
fc_sort is the only/last build tool that requires a C compiler

Re-implement it in python, so that gcc dependencies can be dropped

The output of the C and the python version differ slightly in the order of equally specific file contexts

old:
    /.*		system_u:object_r:default_t
    /sys(/.*)?		system_u:object_r:sysfs_t
    /mnt(/[^/]*)		-l	system_u:object_r:mnt_t
    /mnt(/[^/]*)?		-d	system_u:object_r:mnt_t
    /opt/.*		system_u:object_r:usr_t
    /var/.*		system_u:object_r:var_t
    /usr/.*		system_u:object_r:usr_t
    /srv/.*		system_u:object_r:var_t
    /tmp/.*		<<none>>
    /run/.*		<<none>>
    /dev/.*		system_u:object_r:device_t
    /etc/.*		system_u:object_r:etc_t

new:
    /.*		system_u:object_r:default_t
    /sys(/.*)?		system_u:object_r:sysfs_t
    /mnt(/[^/]*)		-l	system_u:object_r:mnt_t
    /mnt(/[^/]*)?		-d	system_u:object_r:mnt_t
    /dev/.*		system_u:object_r:device_t
    /etc/.*		system_u:object_r:etc_t
    /opt/.*		system_u:object_r:usr_t
    /run/.*		<<none>>
    /srv/.*		system_u:object_r:var_t
    /tmp/.*		<<none>>
    /usr/.*		system_u:object_r:usr_t
    /var/.*		system_u:object_r:var_t
 2019-10-06 00:11:30 +02:00
Chris PeBenito 1f947b191d
Merge pull request #120 from cgzones/travis_lint_py 
travis: run check_fc_files linter with python 3.7
 2019-10-03 21:02:55 -04:00
Christian Göttsche 64ae3bb727 travis: run check_fc_files linter with python 3.7 2019-10-04 01:43:37 +02:00
Chris PeBenito 6f19979a2f gpg, systemd: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-10-03 19:05:05 -04:00
Chris PeBenito 17512a799d Merge pull request #117 from fishilico/gpg-crypto-fips 2019-10-03 18:59:04 -04:00
Chris PeBenito c26c3786c9 Merge pull request #116 from fishilico/systemd-kernel-coredump-transition 2019-10-03 18:59:02 -04:00
Chris PeBenito a00fbd47d5
Merge pull request #115 from cgzones/fixpy 
segenxml.py: fix format usage in warning message
 2019-10-03 18:58:37 -04:00
Chris PeBenito 4d614d4a5d
Merge pull request #114 from cgzones/samename 
fix Makefile for policy-module directories with same ending
 2019-10-03 18:57:54 -04:00
Chris PeBenito c83202c20b
Merge pull request #113 from fishilico/travis-fc-typo-checker 
.travis.yml: check the .fc files in CI
 2019-10-03 18:56:26 -04:00
Chris PeBenito 2da74e1169
Merge pull request #119 from cgzones/py3 
travis: force the use of python3.5
 2019-10-03 18:53:26 -04:00
Christian Göttsche 1fa8caec19 travis: force the use of python3.5 
python3.5 is the oldest available one on bionic (though refpolicy requires only 3.4)

Also print the python3 (not 2) version during build
 2019-10-04 00:18:34 +02:00
Nicolas Iooss 15151782bd
gpg: allow gpg-agent to read crypto.fips_enabled sysctl 
On Debian 10, when gpg-agent starts, it reads crypto.fips_enabled:

    type=AVC msg=audit(1569958604.280:42): avc:  denied  { open } for
    pid=329 comm="gpg-agent" path="/proc/sys/crypto/fips_enabled"
    dev="proc" ino=14687 scontext=sysadm_u:sysadm_r:gpg_agent_t
    tcontext=system_u:object_r:sysctl_crypto_t tclass=file permissive=1

    type=AVC msg=audit(1569958604.280:42): avc:  denied  { read } for
    pid=329 comm="gpg-agent" name="fips_enabled" dev="proc" ino=14687
    scontext=sysadm_u:sysadm_r:gpg_agent_t
    tcontext=system_u:object_r:sysctl_crypto_t tclass=file permissive=1

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
 2019-10-01 21:58:24 +02:00
Nicolas Iooss 90a2688712
systemd: make the kernel spawn systemd-coredump with a context transition 
On Arch Linux, /proc/sys/kernel/core_pattern contains:

    |/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h

When a crash happens in a userspace application, this setting makes the
kernel spawn /usr/lib/systemd/systemd-coredump from kernel_t:

    type=AVC msg=audit(1569910108.877:336): avc:  denied  { execute }
    for  pid=1087 comm="kworker/u2:3" name="systemd-coredump" dev="vda1"
    ino=406365 scontext=system_u:system_r:kernel_t
    tcontext=system_u:object_r:systemd_coredump_exec_t tclass=file
    permissive=1

Introduce a transition to systemd_coredump_t to handle this.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
 2019-10-01 21:30:29 +02:00
Christian Göttsche 67a27c2738 segenxml.py: fix format usage in warning message 2019-10-01 20:38:58 +02:00
Christian Göttsche 25bb0cab98 fix Makefile for policy-module directories with same ending 
Currently policy module directories must have a same ending.
Reproduce with:

  mv policy/modules/admin/ policy/modules/adminapps
  make conf

Results in:

  ...
  cat policy/modules/adminapps/metadata.xml policy/modules/apps/metadata.xml > tmp/apps.xml
  ...
  doc/policy.xml:4332: element layer: validity error : Element layer content does not follow the DTD, expecting (summary , module+), got (summary summary module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module module )
  Document doc/policy.xml does not validate against doc/policy.dtd
  make: *** [Makefile:452: doc/policy.xml] Error 3

Add a leading slash to the filter pattern, to not match partial names
 2019-10-01 20:24:29 +02:00
Nicolas Iooss 3b698bd9e4
.travis.yml: check the .fc files in CI 
Now that all issues reported by testing/check_fc_files.py have been
fixed, call this script in Travis-CI in order to prevent common errors
from being introduced in .fc files.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
 2019-10-01 19:54:17 +02:00
Chris PeBenito 324ecfe95c
Merge pull request #74 from fishilico/fc-typo-checker 
Check the .fc files for common typos
 2019-09-30 21:14:42 -04:00
Chris PeBenito 52e9d4daf0 filesystem, systemd: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-09-30 20:57:29 -04:00
Chris PeBenito 1a124285df Merge pull request #112 from fishilico/systemd-sd-executor-use 2019-09-30 20:43:01 -04:00
Chris PeBenito 1a30ab4fd8 Merge pull request #111 from fishilico/filesystem-fs_rw_cgroup_files-follow-symlink 2019-09-30 20:42:21 -04:00
Chris PeBenito 8ae2ff179c Merge pull request #109 from fishilico/travis-ubuntu-1804 2019-09-30 20:41:52 -04:00